Bug 622801 - Missing rule for suexec
Missing rule for suexec
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.0
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks: 580448 620945
  Show dependency treegraph
 
Reported: 2010-08-10 09:03 EDT by Zbysek MRAZ
Modified: 2013-07-03 09:12 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-37.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 16:36:21 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Zbysek MRAZ 2010-08-10 09:03:56 EDT
Description of problem:
When running the RHTS test /CoreOS/httpd/suexec/bug161893 I get following AVC

----
time->Tue Aug 10 09:01:23 2010
type=SYSCALL msg=audit(1281445283.733:42647): arch=c000003e syscall=59 success=yes exit=0 a0=7f257b253ff3 a1=7f257bc41810 a2=7f257bc40f00 a3=7fffa5627990 items=0 ppid=25377 pid=25388 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=16 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)
type=AVC msg=audit(1281445283.733:42647): avc:  denied  { read write } for  pid=25388 comm="suexec" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1281445283.733:42647): avc:  denied  { read write } for  pid=25388 comm="suexec" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file



Version-Release number of selected component (if applicable):
RHEL6.0-20100805.0
httpd-2.2.15-4.el6.x86_64
selinux-policy-3.7.19-35.el6.noarch
Comment 1 RHEL Product and Program Management 2010-08-10 09:18:44 EDT
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 2 Daniel Walsh 2010-08-10 11:21:10 EDT
This looks like a leaked file descriptor potentially just a test problem.

But it could be caused by an admin doing a service httpd restart

Miroslav, since we have

   dontaudit httpd_t user_devpts_t : chr_file { ioctl read write getattr append open } ;

We need to do the same fot httpd_suexec_t.
Comment 3 Miroslav Grepl 2010-08-10 14:17:18 EDT
Added to selinux-policy-3.7.19-37.el6.noarch
Comment 5 Miroslav Grepl 2010-09-01 05:54:54 EDT
Milos,
did the test pass successfully?


Looks like we also need to add the same change for httpd_user_script_t.
Comment 6 Milos Malik 2010-09-01 07:50:58 EDT
The test passed.
Comment 14 releng-rhel@redhat.com 2010-11-10 16:36:21 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.